January 6, 2014

Configure Stateful Firewall

iptables Configuration Files

Contains persisted kernel filtering rules.

Contains configuration for iptables.

List iptables filtering rules

iptables -vnL --line-numbers


  1. v - verbose, if not used you will, e.g. for which interface the rule applies. Every system have atleast two interfaces: loopback and eth0.
  2. n - numeric values
  3. L - list

Basic iptables

iptables divides traffic into 3 catogories: INPUT, FORWARD and OUTPUT.

  1. INPUT. Is for incoming traffic.
  2. FORWARD. Is traffic passing through, typical scenario is a router.
  3. OUTPUT. Is outgoing traffic.

Each category (or formely chain) has a default action (or formely target): ACCEPT, DROP and REJECT is the most common.

Then for each category you define a list of rules. The list is strictly ordered, which means if rule number 3 of 6 matches, the looping of the list is ended and the action is applied, that is defined for rule.


Lets get started with an open system, where the default action is ACCEPT.

First we accept all incoming traffic to loopback interface.

ACCEPT all already establed/ongoing conversation.

If you want to enable PING, add below.

Accept SSH in port 22, but only from LAN (192.168.122.*)

If you need VNC it is working in port 5900, and accept only connections from LAN (192.168.122.*)

Finally we need to add either a REJECT or DROP rule at the end since our default action to ACCEPT incoming traffic.

And the same thing goes for FORWARD.

If you have above typed some typo, e.g. line number 4, you delete that row with.

And if you need to insert a specific rule at specific row, e.g. line number 4.


To test your firewall you can for example use nmap. Take notice though that you are not violating any policy when using a port scanning utility.

Make persistent

Write rules to /etc/sysconfig/iptables.

And if you really want to make sure that the new configuration is loaded restart iptables service.


Logging firewall activity is a great way to debug your configuration. But beware if used on a production machine connected to Internet, you should make room for a big log partition.

I will insert the log action just before mine INPUT REJECT, wich is for me on line 5.

Now you can tail the default syslog log.

No comments: